Dynamically add broker authentication to the DAC chain if Broker package is referenced (Azure#49194)

Author: christothes

sdk/identity/Azure.Identity.Broker/src/Azure.Identity.Broker.csproj

@@ -6,14 +6,15 @@
     <!--The ApiCompatVersion is managed automatically and should not generally be modified manually.-->
     <ApiCompatVersion>1.2.0</ApiCompatVersion>
     <PackageTags>Microsoft Azure Identity Broker;$(PackageCommonTags)</PackageTags>
-    <TargetFrameworks Condition="$([MSBuild]::IsOsPlatform('Windows'))">$(RequiredTargetFrameworks);net462;net6.0</TargetFrameworks>
-    <TargetFrameworks Condition="$([MSBuild]::IsOsPlatform('OSX'))">$(RequiredTargetFrameworks);net6.0</TargetFrameworks>
-    <TargetFrameworks Condition="$([MSBuild]::IsOsPlatform('Linux')) ">$(RequiredTargetFrameworks);net6.0</TargetFrameworks>
+    <TargetFrameworks Condition="$([MSBuild]::IsOsPlatform('Windows'))">$(RequiredTargetFrameworks);net462;net8.0</TargetFrameworks>
+    <TargetFrameworks Condition="$([MSBuild]::IsOsPlatform('OSX'))">$(RequiredTargetFrameworks);net8.0</TargetFrameworks>
+    <TargetFrameworks Condition="$([MSBuild]::IsOsPlatform('Linux'))">$(RequiredTargetFrameworks);net8.0</TargetFrameworks>
     <NoWarn>$(NoWarn);3021</NoWarn>
     <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
   </PropertyGroup>
   <ItemGroup>
-    <PackageReference Include="Azure.Identity" />
+    <!-- <PackageReference Include="Azure.Identity" /> -->
+    <ProjectReference Include="..\..\Azure.Identity\src\Azure.Identity.csproj" />
     <PackageReference Include="Microsoft.Identity.Client" />
     <PackageReference Include="Microsoft.Identity.Client.Extensions.Msal" />
     <PackageReference Include="Microsoft.Identity.Client.Broker" />

sdk/identity/Azure.Identity.Broker/src/DevelopmentBrokerOptions.cs

@@ -0,0 +1,56 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Diagnostics.CodeAnalysis;
+using Microsoft.Identity.Client;
+using Microsoft.Identity.Client.Broker;
+
+namespace Azure.Identity.Broker
+{
+    /// <summary>
+    /// Options to configure the <see cref="InteractiveBrowserCredential"/> to use the system authentication broker in lieu of an embedded web view or the system browser.
+    /// For more information, see <see href="https://aka.ms/azsdk/net/identity/interactive-brokered-auth">Interactive brokered authentication</see>.
+    /// </summary>
+    [DynamicallyAccessedMembers(DynamicallyAccessedMemberTypes.All)]
+    internal class DevelopmentBrokerOptions : InteractiveBrowserCredentialOptions, IMsalSettablePublicClientInitializerOptions, IMsalPublicClientInitializerOptions
+    {
+        private Action<PublicClientApplicationBuilder> _beforeBuildClient;
+        /// <summary>
+        /// Gets or sets whether Microsoft Account (MSA) passthrough is enabled.
+        /// </summary>
+        public bool? IsLegacyMsaPassthroughEnabled { get; set; }
+
+        /// <summary>
+        /// Gets or sets whether to authenticate with the default broker account instead of prompting the user with a login dialog.
+        /// </summary>
+        public bool UseDefaultBrokerAccount { get; set; } = true;
+
+        /// <summary>
+        /// Creates a new instance of <see cref="DevelopmentBrokerOptions"/> to configure a <see cref="InteractiveBrowserCredential"/> for broker authentication.
+        /// </summary>
+        public DevelopmentBrokerOptions() : base()
+        {
+            _beforeBuildClient = AddBroker;
+        }
+
+        Action<PublicClientApplicationBuilder> IMsalSettablePublicClientInitializerOptions.BeforeBuildClient
+        {
+            get => _beforeBuildClient;
+            set => _beforeBuildClient = value;
+        }
+
+        Action<PublicClientApplicationBuilder> IMsalPublicClientInitializerOptions.BeforeBuildClient => _beforeBuildClient;
+
+        private void AddBroker(PublicClientApplicationBuilder builder)
+        {
+            builder.WithParentActivityOrWindow(() => IntPtr.Zero);
+            var options = new BrokerOptions(BrokerOptions.OperatingSystems.Windows);
+            if (IsLegacyMsaPassthroughEnabled.HasValue)
+            {
+                options.MsaPassthrough = IsLegacyMsaPassthroughEnabled.Value;
+            }
+            builder.WithBroker(options);
+        }
+    }
+}

sdk/identity/Azure.Identity.Broker/tests/DevelopmentBrokerOptionsTests.cs

@@ -0,0 +1,35 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using Azure.Core;
+using NUnit.Framework;
+
+namespace Azure.Identity.Broker.Tests
+{
+    public class DevelopmentBrokerOptionsTests
+    {
+        [Test]
+        public void TryCreateDevelopmentBrokerOptions()
+        {
+            bool success = DefaultAzureCredentialFactory.TryCreateDevelopmentBrokerOptions(out var options);
+            Assert.IsTrue(success, "Failed to create DevelopmentBrokerOptions.");
+            Assert.IsNotNull(options, "DevelopmentBrokerOptions is null.");
+        }
+
+        [Test]
+        public void TryCreateDevelopmentBrokerOptionsFromCredentialFactory()
+        {
+            var factory = new DefaultAzureCredentialFactory(new DefaultAzureCredentialOptions());
+            DefaultAzureCredentialFactory.TryCreateDevelopmentBrokerOptions(out var options);
+            var cred = factory.CreateBrokerAuthenticationCredential(options);
+            try
+            {
+                cred.GetToken(new TokenRequestContext(new[] { "https://management.azure.com/.default" }), default);
+            }
+            catch (CredentialUnavailableException)
+            {
+                // This is expected, as the broker is not available in the test environment.
+            }
+        }
+    }
+}

sdk/identity/Azure.Identity/CHANGELOG.md

@@ -4,6 +4,8 @@
 
 ### Features Added
 
+- `DefaultAzureCredential` now includes silent authentication via the authentication broker on Windows if the `Azure.Identity.Broker` NuGet package is referenced. This allows for a more seamless authentication experience when using the `DefaultAzureCredential` in Windows environments. Setting the `ExcludeBrokerCredential` property on `DefaultAzureCredentialOptions` disables this feature.
+
 ### Breaking Changes
 
 ### Bugs Fixed
@@ -16,6 +18,7 @@
 ## 1.14.0-beta.2 (2025-03-11)
 
 ### Bugs Fixed
+
 - `VisualStudioCredential` will now correctly fall through to the next credential in the chain when no account is found by Visual Studio. ([#48464](https://github.com/Azure/azure-sdk-for-net/issues/48464))
 
 ### Other Changes

sdk/identity/Azure.Identity/api/Azure.Identity.net8.0.cs

@@ -201,6 +201,7 @@ public DefaultAzureCredentialOptions() { }
         public bool ExcludeAzureCliCredential { get { throw null; } set { } }
         public bool ExcludeAzureDeveloperCliCredential { get { throw null; } set { } }
         public bool ExcludeAzurePowerShellCredential { get { throw null; } set { } }
+        public bool ExcludeBrokerCredential { get { throw null; } set { } }
         public bool ExcludeEnvironmentCredential { get { throw null; } set { } }
         public bool ExcludeInteractiveBrowserCredential { get { throw null; } set { } }
         public bool ExcludeManagedIdentityCredential { get { throw null; } set { } }

sdk/identity/Azure.Identity/api/Azure.Identity.netstandard2.0.cs

@@ -198,6 +198,7 @@ public DefaultAzureCredentialOptions() { }
         public bool ExcludeAzureCliCredential { get { throw null; } set { } }
         public bool ExcludeAzureDeveloperCliCredential { get { throw null; } set { } }
         public bool ExcludeAzurePowerShellCredential { get { throw null; } set { } }
+        public bool ExcludeBrokerCredential { get { throw null; } set { } }
         public bool ExcludeEnvironmentCredential { get { throw null; } set { } }
         public bool ExcludeInteractiveBrowserCredential { get { throw null; } set { } }
         public bool ExcludeManagedIdentityCredential { get { throw null; } set { } }

sdk/identity/Azure.Identity/src/Credentials/DefaultAzureCredentialOptions.cs

@@ -260,6 +260,12 @@ public string VisualStudioCodeTenantId
         /// </summary>
         public bool ExcludeInteractiveBrowserCredential { get; set; } = true;
 
+        /// <summary>
+        /// Specifies whether broker authentication, via <see cref="InteractiveBrowserCredential"/>, will be attempted as part of the <see cref="DefaultAzureCredential"/> authentication flow.
+        /// Note that the broker authentication flow will only be attempted if the application has a reference to the Azure.Identity.Broker package.
+        /// </summary>
+        public bool ExcludeBrokerCredential { get; set; }
+
         /// <summary>
         /// Specifies whether the <see cref="AzureCliCredential"/> will be excluded from the <see cref="DefaultAzureCredential"/> authentication flow.
         /// </summary>
@@ -318,6 +324,7 @@ public string VisualStudioCodeTenantId
 #pragma warning restore CS0618 // Type or member is obsolete
                 dacClone.ExcludeAzurePowerShellCredential = ExcludeAzurePowerShellCredential;
                 dacClone.IsForceRefreshEnabled = IsForceRefreshEnabled;
+                dacClone.ExcludeBrokerCredential = ExcludeBrokerCredential;
             }
 
             return clone;

sdk/identity/Azure.Identity/src/Credentials/DevelopmentBrokerOptions.cs

@@ -0,0 +1,41 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using Microsoft.Identity.Client;
+
+namespace Azure.Identity
+{
+    /// <summary>
+    /// Options to configure the <see cref="InteractiveBrowserCredential"/> to use the system authentication broker in lieu of an embedded web view or the system browser.
+    /// For more information, see <see href="https://aka.ms/azsdk/net/identity/interactive-brokered-auth">Interactive brokered authentication</see>.
+    /// </summary>
+    internal class DevelopmentBrokerOptions : InteractiveBrowserCredentialOptions, IMsalSettablePublicClientInitializerOptions, IMsalPublicClientInitializerOptions
+    {
+        private Action<PublicClientApplicationBuilder> _beforeBuildClient;
+        /// <summary>
+        /// Gets or sets whether Microsoft Account (MSA) passthrough is enabled.
+        /// </summary>
+        public bool? IsLegacyMsaPassthroughEnabled { get; set; } = true;
+
+        /// <summary>
+        /// Gets or sets whether to authenticate with the default broker account instead of prompting the user with a login dialog.
+        /// </summary>
+        public bool UseDefaultBrokerAccount { get; set; } = true;
+
+        /// <summary>
+        /// Creates a new instance of <see cref="DevelopmentBrokerOptions"/> to configure a <see cref="InteractiveBrowserCredential"/> for broker authentication.
+        /// </summary>
+        public DevelopmentBrokerOptions() : base()
+        {
+        }
+
+        Action<PublicClientApplicationBuilder> IMsalSettablePublicClientInitializerOptions.BeforeBuildClient
+        {
+            get => _beforeBuildClient;
+            set => _beforeBuildClient = value;
+        }
+
+        Action<PublicClientApplicationBuilder> IMsalPublicClientInitializerOptions.BeforeBuildClient => _beforeBuildClient;
+    }
+}

sdk/identity/Azure.Identity/src/Credentials/InteractiveBrowserCredential.cs

@@ -31,6 +31,7 @@ public class InteractiveBrowserCredential : TokenCredential
         internal string DefaultScope { get; }
         internal TenantIdResolverBase TenantIdResolver { get; }
         internal bool UseOperatingSystemAccount { get; }
+        internal bool IsChainedCredential { get; set; }
 
         private const string AuthenticationRequiredMessage = "Interactive authentication is needed to acquire token. Call Authenticate to interactively authenticate.";
         private const string NoDefaultScopeMessage = "Authenticating in this environment requires specifying a TokenRequestContext.";
@@ -96,6 +97,7 @@ internal InteractiveBrowserCredential(string tenantId, string clientId, TokenCre
             Record = (options as InteractiveBrowserCredentialOptions)?.AuthenticationRecord;
             BrowserCustomization = (options as InteractiveBrowserCredentialOptions)?.BrowserCustomization;
             UseOperatingSystemAccount = (options as IMsalPublicClientInitializerOptions)?.UseDefaultBrokerAccount ?? false;
+            IsChainedCredential = options?.IsChainedCredential ?? false;
         }
 
         /// <summary>
@@ -243,6 +245,10 @@ private async ValueTask<AccessToken> GetTokenImplAsync(bool async, TokenRequestC
                     }
                     catch (MsalUiRequiredException e)
                     {
+                        if (UseOperatingSystemAccount && IsChainedCredential)
+                        {
+                            throw;
+                        }
                         inner = e;
                     }
                 }
@@ -256,7 +262,7 @@ private async ValueTask<AccessToken> GetTokenImplAsync(bool async, TokenRequestC
             }
             catch (Exception e)
             {
-                throw scope.FailWrapAndThrow(e);
+                throw scope.FailWrapAndThrow(e, null, IsChainedCredential);
             }
         }
 

sdk/identity/Azure.Identity/src/DefaultAzureCredentialFactory.cs

@@ -3,6 +3,8 @@
 
 using System;
 using System.Collections.Generic;
+using System.Diagnostics.CodeAnalysis;
+using System.Reflection;
 using Azure.Core;
 
 namespace Azure.Identity
@@ -89,6 +91,11 @@ public TokenCredential[] CreateCredentialChain()
                 chain.Add(CreateInteractiveBrowserCredential());
             }
 
+            if (!Options.ExcludeBrokerCredential && TryCreateDevelopmentBrokerOptions(out InteractiveBrowserCredentialOptions brokerOptions))
+            {
+                chain.Add(CreateBrokerAuthenticationCredential(brokerOptions));
+            }
+
             if (chain.Count == 0)
             {
                 throw new ArgumentException("At least one credential type must be included in the authentication flow.", "options");
@@ -182,6 +189,23 @@ public virtual TokenCredential CreateInteractiveBrowserCredential()
                 Pipeline);
         }
 
+        public TokenCredential CreateBrokerAuthenticationCredential(InteractiveBrowserCredentialOptions brokerOptions)
+        {
+            var options = Options.Clone<DevelopmentBrokerOptions>();
+            ((IMsalSettablePublicClientInitializerOptions)options).BeforeBuildClient = ((IMsalSettablePublicClientInitializerOptions)brokerOptions).BeforeBuildClient;
+
+            options.TokenCachePersistenceOptions = new TokenCachePersistenceOptions();
+
+            options.TenantId = Options.InteractiveBrowserTenantId;
+            options.IsChainedCredential = true;
+
+            return new InteractiveBrowserCredential(
+                Options.InteractiveBrowserTenantId,
+                Options.InteractiveBrowserCredentialClientId ?? Constants.DeveloperSignOnClientId,
+                options,
+                Pipeline);
+        }
+
         public virtual TokenCredential CreateAzureDeveloperCliCredential()
         {
             var options = Options.Clone<AzureDeveloperCliCredentialOptions>();
@@ -232,5 +256,43 @@ public virtual TokenCredential CreateAzurePowerShellCredential()
 
             return new AzurePowerShellCredential(options, Pipeline, default);
         }
+
+        /// <summary>
+        /// Creates a DevelopmentBrokerOptions instance if the Azure.Identity.Broker assembly is loaded.
+        /// This is used to enable broker authentication for development purposes.
+        /// </summary>
+        /// <param name="options"></param>
+        /// <returns></returns>
+        [UnconditionalSuppressMessage("Trimming", "IL2026",
+    Justification = "Assembly.Load is used for optional functionality. If the assembly is trimmed, the catch block handles it gracefully.")]
+        [UnconditionalSuppressMessage("Trimming", "IL2072",
+    Justification = "Loading Azure.Identity.Broker assembly is optional, method handles missing assembly gracefully")]
+        internal static bool TryCreateDevelopmentBrokerOptions(out InteractiveBrowserCredentialOptions options)
+        {
+            options = null;
+            try
+            {
+                // Check if the Azure.Identity.Broker assembly is loaded
+                Assembly brokerAssembly;
+                brokerAssembly = Assembly.Load("Azure.Identity.Broker");
+
+                if (brokerAssembly != null)
+                {
+                    // Get the DevelopmentBrokerOptions type
+                    var optionsType = brokerAssembly.GetType("Azure.Identity.Broker.DevelopmentBrokerOptions");
+                    if (optionsType != null)
+                    {
+                        // Create an instance using the parameterless constructor
+                        options = (InteractiveBrowserCredentialOptions)Activator.CreateInstance(optionsType);
+                    }
+                }
+
+                return options != null;
+            }
+            catch
+            {
+                return false;
+            }
+        }
     }
 }